Over the past year we’ve seen a 71% increase in cyberattacks carried out using compromised login credentials. If an attacker gains access to a privileged account, the damage to an organization’s reputation can be lasting, harming its brand and its relationships with customers and partners. This highlights the need for robust controls to safeguard privileged user accounts.
How Does Credential Harvesting Work?
Credential harvesting typically involves installing a malicious extension onto a website or application. Once installed, the extension records all login information, including usernames and passwords. These credentials can then be used to access sensitive information, such as bank account details, health records, or corporate networks and databases. Many credential harvesters prey on users who reuse passwords across multiple accounts: a single compromised password then unlocks every other account that shares it. The ultimate goal of the cybercriminal is access to sensitive information.
Credential harvesting attacks can take many forms, including:
- Phishing attacks, where victims are sent emails with links to bogus websites to enter their username or password
- Malicious attachments sent via email that launch credential-stealing malware
- Man-in-the-middle attacks, zero-day attacks, and other software vulnerability exploits
- Malicious insider misconduct
- Remote desktop protocol (RDP) attacks
- DNS spoofing
Once inside an organization, threat actors can:
- Hunt for and harvest credentials
- Root around in private key files, registries, and system administrators’ notes and files
- Look for hardcoded credentials within scripts or applications
NOTE: Some cybercriminals may also place a web shell in an organization’s environment, allowing them to interact with the system longer-term and collect additional information.
Common Techniques Used In Credential Harvesting Attacks
Below are some of the most notable techniques used in credential harvesting attacks:
- Malware – Infected attachments are sent out via mass email; when downloaded and opened, they install malware on the user’s machine that captures and records login credentials.
- Phishing – Phishing attacks use trust in popular brands to trick victims into visiting malicious websites, where they enter their credentials, which are then captured by the credential harvester.
- Domain spoofing – Domain spoofing involves impersonating a known business or person with a fake website or email domain, using techniques like typosquatting, to fool users into trusting and sharing their credentials.
- Man-in-the-Middle (MitM) attacks – MitM attacks intercept and relay communications between two parties, allowing attackers to steal credentials and sensitive information, and eavesdrop on all communication to gather more information.
How To Identify Credential Harvesting Attempts
To detect credential harvesting attacks, it’s essential to monitor new domain registrations that may be typosquatting, and to stay up to date on threat intelligence and vulnerability monitoring. Additionally, by leveraging AI and automation, security teams can identify and respond to potential credential harvesting attacks more quickly, reducing the risk of a successful breach. These techniques are explained in more detail below.
Typosquatting Detection
To identify credential harvesting attacks, it’s essential to keep an eye on new domain registrations that may be typosquatting. This involves monitoring domains that are slightly altered versions of legitimate domains, registered in the hope of catching unsuspecting users who unintentionally enter their credentials into these fake sites.
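A minimal detection pass of this kind, written as an added example (not code from the original article): it checks a constructed feed of new registrations against a hypothetical protected domain for homoglyph substitutions, brand-label containment, and near-misses by edit distance.

```python
# Constructed sample feed of newly registered domains (not real registrations).
NEW_REGISTRATIONS = [
    "examplebank.com",        # the legitimate domain itself
    "exampIebank.com",        # capital I in place of lowercase l
    "examplebnak.com",        # two letters transposed
    "examplebank-login.net",  # brand label plus an extra token
    "exarnplebank.com",       # "rn" in place of "m"
    "weatherdaily.org",       # unrelated registration
]
PROTECTED = ["examplebank.com"]  # hypothetical brand domain being watched
# Visual substitutions mapped back to the canonical character they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

def second_level(domain):
    # Simplified: ignores multi-part public suffixes such as co.uk.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label):
    for glyph, canon in HOMOGLYPHS.items():
        label = label.replace(glyph, canon)
    return label.replace("-", "")

def edit_distance(a, b):
    # Optimal string alignment: insert, delete, substitute, or swap adjacent characters.
    d = [list(range(len(b) + 1))] + [[i] + [0] * len(b) for i in range(1, len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain, protected=PROTECTED, max_distance=1):
    # Return why the domain looks like a typosquat of a protected domain, or None.
    label = normalize(second_level(domain))
    for legit in protected:
        if domain.lower() == legit.lower():
            return None
        legit_label = normalize(second_level(legit))
        if label == legit_label:
            return f"same label as {legit} after homoglyph normalization or under another TLD"
        if legit_label in label:
            return f"contains the brand label of {legit}"
        if edit_distance(label, legit_label) <= max_distance:
            return f"within edit distance {max_distance} of {legit}"
    return None
def flag_registrations(feed, protected=PROTECTED):
    return {d: classify(d, protected) for d in feed if classify(d, protected)}
```

In practice the feed would come from a certificate-transparency or newly-registered-domain source, and flagged entries would be routed to an analyst or a blocklist rather than acted on automatically.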
Threat Intelligence and Vulnerability Monitoring
Monitoring threat intelligence is also crucial in identifying credential harvesting attacks. This includes tracking Initial Access Brokers (IABs) on the dark web, as well as vulnerabilities being exploited by hackers during attacks on other companies. By staying up-to-date on the latest threat intelligence, security teams can anticipate potential attacks and take proactive measures to prevent them.
Using AI and Automation
Relying solely on human analysts to identify anomalies and patterns in large amounts of data is limiting and inefficient. AI and automation can take on that first pass, reducing the workload of human analysts and allowing them to focus on high-priority threats.
How To Prevent Credential Harvesting Attacks
Organizations can prevent credential harvesting attacks by taking a layered approach. This involves not only implementing technical measures but also addressing the human element. Below are the most notable ways to prevent credential harvesting attacks.
Implement multi-factor authentication (MFA)
Implementing multi-factor authentication (MFA) is a crucial security measure that can help to prevent credential harvesting attacks. By requiring users to provide two or more forms of evidence to verify their identity, MFA significantly raises the bar for potential attackers. This increased barrier to entry prevents malicious actors from compromising applications and systems with a single stolen password, closing a major security gap.
Security Awareness Training
Security awareness training helps employees recognize phishing emails and the other tactics attackers use to trick them into entering their credentials.
Testing and Readiness
Organizations can test their employees’ readiness to respond to credential harvesting attacks by conducting regular simulations and training exercises. This can help identify vulnerabilities in the organization’s defenses and provide employees with the opportunity to practice their response to real-world attacks.
Protecting Email Channels
Email security is also crucial in preventing credential harvesting attacks. This involves being cautious of malicious links and attachments and being aware of VIP impersonation threats. Organizations can reduce the risk of credential harvesting by implementing robust email filtering and security measures, such as sandboxing and anti-phishing solutions.
Implementing an Insider Threat Program
In addition to preventing external attacks, organizations can also prevent credential harvesting by implementing an insider threat program. This program can help protect against malicious, compromised, or careless insiders, and should also include a strategy for the detection and analysis of user activity.
Database Protection
Organizations must protect their databases of credentials from unauthorized access, ensuring that access is granted only to authorized personnel. By implementing robust access controls and monitoring database activity, organizations can reduce the risk of credential harvesting and prevent insider attacks.
Conclusion
Cybercriminals use credential harvesting attacks to steal sensitive information, including usernames, passwords, credit card numbers, and other confidential data. As credential harvesting attacks continue to grow and evolve, businesses must take steps to safeguard their privileged accounts. By training employees on safe browsing practices, implementing multi-factor authentication, and regularly reviewing access credentials to ensure their security, companies can better protect their critical systems from credential harvesting attacks.